Your guess is as good as mine. I simply want to FTP and have my very small group of clients also have the ability to upload their files.

My tech INSISTS that opening ports 35000_36000 in APF presents a major security hole. His recommendation is that I use FTP/SSH2 as it's more secure and guaranteed to work.

He doesn't seem to understand that I am not leasing a server to secure the internet. By his reasoning, I should turn down the server because it will be more secure that way. I mean, every open port is vulnerable, right?

I'm confused and entirely frustrated. I've lost days trying to deal with this. If I get a resolution, I will be sure to share.

I'm not surprised. APF is a great firewall script, but I've seen many servers where it simply doesn't work. The advice you were given was completely correct regarding both the holes in the firewall and the most secure way to allow FTP (SFTP) access, though the latter is not ideal for many.

I'd strongly recommend you simply don't use APF and look to using one of the other many and varied iptables configuration scripts. One that I use with success when APF proves too buggy is KISSMyFirewall: http://www.webhostgear.com/index.php?art/id:87

IIRC, you can do it with KISS, but have to hack out the module checks within the script. You do have to be sure the modules are correctly compiled in, though, or you'll be locked out. For testing I'd suggest an iptables stop cron job running every 5 minutes so you don't have to resort to the console.
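As an added example (not from either poster or from APF/KISS), here is what the passive-range rules look like when written directly for iptables, plus the module check the last reply warns about: the data range is accepted only as RELATED, i.e. for connections the FTP connection-tracking helper has already matched, so the 35000-36000 range is not left open to fresh connections. The module names and the `-m state` syntax are assumed from the classic ip_conntrack/nf_conntrack setup; the port range uses iptables' colon syntax, not APF's underscore form.

```shell
#!/bin/sh
# passive_ftp_rules LOW HIGH
#   Prints the iptables rules for an FTP server whose passive data ports are
#   confined to LOW-HIGH (e.g. 35000 36000). Returns 1 on a bad range instead
#   of emitting anything, so a typo cannot turn into a wide-open rule.
passive_ftp_rules() {
    low=$1
    high=$2
    # Digits only; reject anything that would make the numeric tests below misbehave
    case "$low$high" in
        '' | *[!0-9]*) return 1 ;;
    esac
    # Stay in the unprivileged range and require LOW < HIGH
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -lt "$high" ] || return 1
    # Control channel: new clients may connect to port 21
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Data channel: only the configured range, and only for connections the FTP
    # helper has flagged as RELATED to an existing control session (never NEW)
    echo "iptables -A INPUT -p tcp --dport ${low}:${high} -m state --state RELATED,ESTABLISHED -j ACCEPT"
    return 0
}

# ftp_helper_loaded LSMOD_OUTPUT
#   Returns 0 if the FTP conntrack helper appears in lsmod-style output passed
#   as a string (pass "$(lsmod)" on a live box). Without it the RELATED rule
#   above never matches and passive transfers silently fail.
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp)[[:space:]]'
}

# Usage on a real host (commented out so the script can be sourced safely):
# ftp_helper_loaded "$(lsmod)" || modprobe ip_conntrack_ftp
# passive_ftp_rules 35000 36000 | sh
```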